Synergistic dns security update

ABSTRACT

Systems and methods provide for synergistic domain name system DNS security updates for an enterprise network operating under a Software Defined Wide Area Network (SD-WAN). A system may be configured to collect positive and/or negative unified threat defense (UTD) results, deploy a rules-based model that, when a threat or clearance is detected across several SD-WAN edge network devices, triggers an update to a local security blacklist/whitelist, wherein the update comprises a signature, and push the update to other devices that have not yet seen the threat or clearance.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional of U.S. Non-Provisional patentapplication Ser. No. 16/567,435, filed on Sep. 11, 2019, which claimsthe benefit of priority to U.S. Provisional Patent Application No.62/774,102, filed on Nov. 30, 2018, all of which are hereby expresslyincorporated herein by reference in its entirety and for all purpose.

FIELD

The present embodiments generally relate to systems and methods thatprovide for synergistic Domain Name System (DNS) security updates in anetwork based on threat detection via local security policies on edgenetwork devices.

BACKGROUND

The enterprise network landscape is continuously evolving. There is agreater demand for mobile and Internet of Things (IoT) device traffic,Software as a Service (SaaS) applications, and cloud adoption. Inaddition, security needs are increasing and certain applications canrequire prioritization and optimization for proper operation. As thiscomplexity grows, there is a push to reduce costs and operating expenseswhile providing for high availability and scale.

Conventional WAN architectures are facing major challenges under thisevolving landscape. Conventional WAN architectures typically consist ofmultiple Multi-Protocol Label Switching (MPLS) transports, or MPLSpaired with Internet or Long-Term Evolution (LTE) links used in anactive/backup fashion, most often with Internet or SaaS traffic beingbackhauled to a central data center or regional hub for Internet access.Issues with these architectures can include insufficient bandwidth, highbandwidth costs, application downtime, poor SaaS performance, complexoperations, complex workflows for cloud connectivity, long deploymenttimes and policy changes, limited application visibility, and difficultyin securing the network.

In recent years, software-defined wide-area network (SD-WAN) solutionshave been developed to address these challenges. SD-WAN is part of abroader technology of software-defined networking (SDN). SDN is acentralized approach to network management which can abstract away theunderlying network infrastructure from its applications. Thisde-coupling of data plane forwarding and control plane can allow anetwork operator to centralize the intelligence of the network andprovide for more network automation, operations simplification, andcentralized provisioning, monitoring, and troubleshooting. SD-WAN canapply these principles of SDN to the WAN.

To secure the SD-WAN, a cloud-delivered secure internet gateway can beused to provide the first line of defense against threats on theInternet. The cloud-delivered secure internet gateway can include aDomain Name System (DNS) security platform, a hierarchical decentralizednaming system for computers, services, or other resources connected tothe Internet or a private network. The DNS associates a variety ofinformation with domain names assigned to each of the participatingentities. Most prominently, it translates more readily memorized domainnames to the numerical IP addresses needed for locating and identifyingcomputer services and devices with the underlying network protocols.

DNS security platforms, like Cisco Umbrella, can deliver completevisibility into Internet activity across all devices on a network andblock threats before they reach the network. The DNS security platformcan stop phishing, malware infections, and proactively block requests tomalicious destinations before a connection is established. Morespecifically, the DNS delegates the responsibility of assigning domainnames and mapping those names to Internet resources by designatingauthoritative name servers for each domain. Network administrators maydelegate authority over sub-domains of their allocated name space toother name servers. This mechanism provides distributed andfault-tolerant service and was designed to avoid a single large centraldatabase.

Various DNS security platforms (e.g., Cisco Umbrella, OpenDNS, etc.)provide additional security features on top of the DNS. In many cases,these DNS security platforms may be provided as a cloud service. TheseDNS security platforms may be configured to, for example, use theInternet's infrastructure to block malicious destinations before aconnection is ever established. The platforms may use DNS to stopthreats over all ports and protocols—even direct-to-IP connections.Instead of proxying all web traffic, the platforms may route requests torisky domains for deeper URL and file inspection. The platforms caneffectively protect without delay or performance impact. Even if devicesbecome infected in other ways, the platforms may prevent connections toattacker's servers. The platforms can further stop data exfiltration andexecution of ransomware encryption.

DNS security platforms often rely on a remotely hosted source of truththat is periodically updated, and is not prepared to respond dynamicallyto emerging threats. For example, the DNS security platform may maintaina list of IPs and/or domains associated with threats, and once a flowhas passed the security platform, it may be processed by a unifiedthreat defense (UTD) policy, which detects threats based on the actualbehavior of the application. The result of the computationally intensiveUTD process is not used to update local or remote security DNS policy.The information generated by UTD is a very rich data set that, ifcollected directly, presents serious scale challenges.

DNS security platforms, like Umbrella, can each have its own logic forupdating information about which URLs are associated with threats, suchas having several other features, including IPS/IDS, app-firewall, andAMP that are much more computationally intensive, but also moreaccurate. Some hierarchical architectures allow for the aggregation ofinformation across nodes about threats that have passed through the DNSsecurity platform but have been flagged by other security features.Therefore it would be desirable and advantageous for a DNS securityplatform to be able to aggregated information to improve theresponsiveness of all nodes in the network to emerging threats, to avoidduplicating computationally intensive security checks, and to improvethe trust scores maintained by the remote server of DNS securityplatforms.

BRIEF DESCRIPTION OF THE FIGURES

To provide a more complete understanding of the present disclosure andfeatures and advantages thereof, reference is made to the followingdescription, taken in conjunction with the accompanying drawings, inwhich:

FIG. 1A illustrates an example of a high-level network architecture inaccordance with an embodiment;

FIG. 1B illustrates an example of a high-level architecture of a DNSsecurity system in accordance with an embodiment;

FIG. 2 illustrates an example of a network topology in accordance withan embodiment;

FIG. 3 illustrates an example of a diagram showing the operation of aprotocol for managing an overlay network in accordance with anembodiment;

FIG. 4A illustrates a diagram of a Software-Define Wide Area Network(SD-WAN) showing how DNS security updates can be executed in a localWide Area Network (WAN) in accordance with an embodiment;

FIG. 4B illustrates a diagram showing a policy hierarchy of the securitypolicies that can be executed on the edge network devices in accordancewith an embodiment;

FIG. 5A illustrates an example of a flow diagram of a process forpropagating security policies via the network controller appliances inthe SD-WAN in accordance with an embodiment;

FIG. 5B illustrates another example of a flow diagram of a process forpropagating security policies via the edge network devices in the SD-WANin accordance with an embodiment;

FIG. 6 illustrates an example of a network device in accordance with anembodiment; and

FIGS. 7A and 7B illustrate examples of systems in accordance with someembodiments.

DETAILED DESCRIPTION

The detailed description set forth below is intended as a description ofvarious configurations of embodiments and is not intended to representthe only configurations in which the subject matter of this disclosurecan be practiced. The appended drawings are incorporated herein andconstitute a part of the detailed description. The detailed descriptionincludes specific details for the purpose of providing a more thoroughunderstanding of the subject matter of this disclosure. However, it willbe clear and apparent that the subject matter of this disclosure is notlimited to the specific details set forth herein and may be practicedwithout these details. In some instances, structures and components areshown in block diagram form in order to avoid obscuring the concepts ofthe subject matter of this disclosure.

Overview

Systems and methods provide for synergistic DNS security updates. Asystem may be configured to collect negative unified threat defense(UTD) results, deploy a rules-based model that, when a threat isdetected across several SD-WAN edges, triggers an update to a localsecurity blacklist, wherein the update comprises a threat signature, andpush the update to other devices that have not yet seen the threat.

A computer-implemented method, in accordance with one embodiment, cancomprise receiving, via a network controller appliance 132 of asoftware-defined wide-area network (SD-WAN), an upstream update 107 afrom the edge network device 142 a that comprises a threat signature 105associated with a threat detected by the edge network device 142 a;triggering a temporary update to add the detected treat as a negativeunified threat defense (UTD) result in a local domain name system (DNS)blacklist; and pushing a downstream update 107 b that comprises thethreat signature 105 to a device group comprising other edge networkdevices 142 b that have not yet seen the threat.

The computer-implemented method can further comprise deploying arules-based model that the temporary update is triggered to add thedetected threat to the local DNS blacklist when the threat is detectedacross several edge network devices 142. The detected threat can bedetected by a locally-implemented advanced security policy 103 b on theedge network device and was not detected by an associated cloud securitysystem 101 having a domain name system security platform. Thelocally-implemented advanced security policy 103 b can be one of thefollowing policies: Unified Threat Defense (UTD), IPSec/SSL IntrusionDetection and Prevention System (IPS/IDS), Advanced Malware Protection(AMP), Anti-virus Protection (AV), Data Loss Prevention (DLP),Application Firewall (AppFW), or Encrypted Traffic Analytics (ETA). Theother edge network devices 142 b can be associated with a partner VPN ofthe edge network device 142 a.

The computer-implemented method can further comprise collecting a streamof negative unified threat defense (UTD) results at the networkcontroller appliance 132; and sending a pre-processed and condensed DNSblacklist associated with the stream of negative UTD results to theassociated cloud security system 101. The upstream and downstreamupdates can be new message types in an address family in OMP messages.The device group is limited to other edge network devices in the SD-WANthat do not have locally-implemented advanced security policies 103 benabled. The threat signature 105 can comprise protocol header fieldsincluding an IP address, port, protocols, and other attributes includingpacket length.

A system, in accordance with one embodiment, can comprise one or moreprocessors; and one or more non-transitory computer-readable media thatinclude computer-readable instructions stored thereon that areexecutable by the one or more processors to perform or controlperformance of operations, the operations comprising: receive, via anetwork controller appliance 132 of a software-defined wide-areanetwork, an upstream update 107 a from an edge network device 142 a thatcomprises a threat signature 105 associated with a threat detected bythe edge network device 142 a; trigger a temporary update to add thedetected treat as a negative unified threat defense (UTD) result in alocal domain name system (DNS) blacklist; push a downstream update 107 bthat comprises the threat signature 105 to other edge network devices142 b that have not yet seen the threat.

An edge network device 142, in accordance with one embodiment, cancomprise one or more processors; and one or more non-transitorycomputer-readable media that include computer-readable instructionsstored thereon that are executable by the one or more processors toperform or control performance of operations, the operations comprising:query a local domain name system (DNS) blacklist/whitelist on the edgenetwork device 142 regarding a domain; push, in response to a firstanswer that the domain is not on the local DNS blacklist/whitelist, aquery regarding the domain to an advanced DNS security 414 at theassociated cloud security system 101; query, in response to a secondanswer that the domain is cleared at the advanced DNS security 414, alocally-implemented advanced securities policy 103 b on the edge networkdevice 142; detect the threat or clearance regarding an associateddomain via the locally-implemented advanced securities policy 103 b; andsend the upstream update 107 a from the edge network device 142 thatincludes the signature 105 associated with the detected threat orclearance to the network controller appliance 132 of a software-definedwide-area network. The operations of the edge network device 142 canfurther comprise the following steps: notify the associated cloudsecurity system 101 to update its DNS blacklist/whitelist with respectto the threat; and receive an update from the network controllerappliance 132 to void the detected threat and place the domain on thelocal DNS whitelist.

Example Embodiments

FIG. 1A illustrates an example of a network architecture 100A forimplementing aspects of the present technology. An example of animplementation of the network architecture 100A is the Cisco® SoftwareDefined Wide Area Network (SD-WAN) architecture. However, one ofordinary skill in the art will understand that, for the networkarchitecture 100A and any other system discussed in the presentdisclosure, there can be additional or fewer component in similar oralternative configurations. The illustrations and examples provided inthe present disclosure are for conciseness and clarity. Otherembodiments may include different numbers and/or types of elements butone of ordinary skill the art will appreciate that such variations donot depart from the scope of the present disclosure.

In this example, the network architecture 100A can comprise anorchestration plane 102, a management plane 120, a control plane 130,and a data plane 140. The orchestration plane 102 can assist in theautomatic on-boarding of edge network devices 142 (e.g., switches,routers, etc.) in an overlay network. The orchestration plane 102 caninclude one or more physical or virtual network orchestrator appliances104. The network orchestrator appliance(s) 104 can perform the initialauthentication of the edge network devices 142 and orchestrateconnectivity between devices of the control plane 130 and the data plane140. In some embodiments, the network orchestrator appliance(s) 104 canalso enable communication of devices located behind Network AddressTranslation (NAT). In some embodiments, physical or virtual Cisco®SD-WAN vBond appliances can operate as the network orchestratorappliance(s) 104.

The management plane 120 can be responsible for central configurationand monitoring of a network. The management plane 120 can include one ormore physical or virtual network management appliances 122. In someembodiments, the network management appliance(s) 122 can providecentralized management of the network via a graphical user interface toenable a user to monitor, configure, and maintain the edge networkdevices 142 and links (e.g., Internet transport network 160, MPLSnetwork 162, 4G/LTE network 164) in an underlay and overlay network. Thenetwork management appliance(s) 122 can support multi-tenancy and enablecentralized management of logically isolated networks associated withdifferent entities (e.g., enterprises, divisions within enterprises,groups within divisions, etc.). Alternatively or in addition, thenetwork management appliance(s) 122 can be a dedicated networkmanagement system for a single entity. In some embodiments, physical orvirtual Cisco® SD-WAN vManage appliances can operate as the networkmanagement appliance(s) 122.

The control plane 130 can build and maintain a network topology and makedecisions on where traffic flows. The control plane 130 can include oneor more physical or virtual network controller appliance(s) 132. Thenetwork controller appliance(s) 132 can establish secure connections toeach network device 142 and distribute route and policy information viaa control plane protocol (e.g., Overlay Management Protocol (OMP)(discussed in further detail below), Open Shortest Path First (OSPF),Intermediate System to Intermediate System (IS-IS), Border GatewayProtocol (BGP), Protocol-Independent Multicast (PIM), Internet GroupManagement Protocol (IGMP), Internet Control Message Protocol (ICMP),Address Resolution Protocol (ARP), Bidirectional Forwarding Detection(BFD), Link Aggregation Control Protocol (LACP), etc.). In someembodiments, the network controller appliance(s) 132 can operate asroute reflectors. The network controller appliance(s) 132 can alsoorchestrate secure connectivity in the data plane 140 between and amongthe edge network devices 142. For example, in some embodiments, thenetwork controller appliance(s) 132 can distribute crypto keyinformation among the network device(s) 142. This can allow the networkto support a secure network protocol or application (e.g., InternetProtocol Security (IPSec), Transport Layer Security (TLS), Secure Shell(SSH), etc.) without Internet Key Exchange (IKE) and enable scalabilityof the network. In some embodiments, physical or virtual Cisco® SD-WANvSmart controllers can operate as the network controller appliance(s)132.

The data plane 140 can be responsible for forwarding packets based ondecisions from the control plane 130. The data plane 140 can include theedge network devices 142, which can be physical or virtual networkdevices. The edge network devices 142 can operate at the edges variousnetwork environments of an organization, such as in one or more datacenters or colocation centers 150, campus networks 152, branch officenetworks 154, home office networks 154, and so forth, or in the cloud(e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS),SaaS, and other cloud service provider networks). The edge networkdevices 142 can provide secure data plane connectivity among sites overone or more WAN transports, such as via one or more Internet transportnetworks 160 (e.g., Digital Subscriber Line (DSL), cable, etc.), MPLSnetworks 162 (or other private packet-switched network (e.g., MetroEthernet, Frame Relay, Asynchronous Transfer Mode (ATM), etc.), mobilenetworks 164 (e.g., 3G, 4G/LTE, 5G, etc.), or other WAN technology(e.g., Synchronous Optical Networking (SONET), Synchronous DigitalHierarchy (SDH), Dense Wavelength Division Multiplexing (DWDM), or otherfiber-optic technology; leased lines (e.g., T1/E1, T3/E3, etc.); PublicSwitched Telephone Network (PSTN), Integrated Services Digital Network(ISDN), or other private circuit-switched network; small apertureterminal (VSAT) or other satellite network; etc.). The edge networkdevices 142 can be responsible for traffic forwarding, security,encryption, quality of service (QoS), and routing (e.g., BGP, OSPF,etc.), among other tasks. In some embodiments, physical or virtualCisco® SD-WAN vEdge routers can operate as the edge network devices 142.

FIG. 1B illustrates a network architecture 100B including a DNS cloudsecurity system 101 configured to operate with the network architecture100A. The edge network devices 142 (142 a, 142 b) can have variouslocally-implemented security services 103. For example, the edge networkdevice 142 can implement a local domain name system (DNS)blacklist/white list 103 a as a basic DNS security policy, which canalso allow customization that is specific to a particular enterprise.The various locally-implemented security services 103 can include morelocally-implemented advanced security policies 103 b, such as UnifiedThreat Defense (UTD), IPSec/SSL Intrusion Detection and PreventionSystem (IPS/IDS), Advanced Malware Protection (AMP), Anti-virusProtection (AV), data loss prevention (DLP), Application Firewall(AppFW), Encrypted Traffic Analytics (ETA), etc., which can be embeddedand enabled on selected edge network devices 142 based on platformcapabilities. These advanced security policies can identify threats thatthe cloud security service 101 may not have identified as threats. Also,the DNS cloud security system 101 can occasionally update 109 the UTDpolicies on the edge network devices 142. Edge network devices 142 withadvanced DNS security 414 can redirect DNS requests to internet domains(local domains may be bypassed) to the DNS cloud security system 101when the edge network devices 142 are subjected to DNS security checksand valid/non-malicious domains will receive the resolved IP addressesas a DNS response. The DNS cloud security system 101 may give a proxy IPaddress if the DNS cloud security system 101 wants to subjectapplication traffic to additional security checks. When Applicationsecurity via Tunnels is configured on the edge network devices 142, thenselected Application traffic (Direct Internet Access traffic) receivedon the edge network devices 142 can be tunneled to the DNS cloudsecurity system 101 for additional security functions like Firewall, IPSand others.

In addition, the network controller appliance 132 can collect negativeor positive UTD results and intermittently send a pre-processed andcondensed DNS blacklist/whitelist 111 to the DNS cloud security system101 for use in enriching and updating trustworthiness scores.

The one or more network controller appliances 132 may be configured tomanage the network architecture 100A and may be responsible for managingall control and data policies by using special Overlay ManagementProtocol (OMP), as discussed in greater detail further below. Threatscan be detected by the locally-implemented security services 103, wherea threat signature 105 can be sent upstream via an upstream OMP message107 a to the network controller appliances 132. The network controllerappliances 132 can add the threat signature 105 (may be specific to theenterprise it is serving) and can push the threat signature 105downstream via a downstream OMP message 107 b propagating to other edgenetwork devices 142 b. The upstream and downstream OMP messages 107 a,107 can be new message types in an address family in the OMP messages.The other edge network devices 142 b may not have been capable ofperforming one or some of the advanced security policies, and may nothave otherwise been able to detect such a threat.

By rerouting traffic away from security servers of the DNS cloudsecurity system 101, this offers a better ability to scale the DNS cloudsecurity system 101, wherein the SD-WAN specific network controllerappliances layer 130 can take into consideration customer networktopology, device type and capabilities, and applications seen on certainedge network devices 142. Threat signatures may comprise protocol headerfields like IP addresses, ports, protocols, and/or other attributes likepacket length. The edge network devices 142 receiving these threatsignatures can use basic classification of the traffic using an accesscontrol list (ACL) and if a match is found, the edge network devices 142can prevent the threat instead of redirecting the traffic to the DNScloud security system 101, which saves bandwidth costs and improvesscalability of the DNS cloud security system 101.

Additional details regarding the operation of the network architecture100A are discussed in “Cisco® SD-WAN Design Guide,” Cisco® Systems, Inc.(October 2018) and “Cisco® SD-WAN Deployment Guide,” Cisco® Systems,Inc. (October 2018), which are incorporated herein by reference.

FIG. 2 illustrates an example of a network topology 200 for showingvarious aspects of the network architecture 100A. The network topology200 can include a management network 202, a pair of network sites 204Aand 204B (collectively, 204) (e.g., the data center(s) 150, the campusnetwork(s) 152, the branch office network(s) 154, the home officenetwork(s) 156, cloud service provider network(s), etc.), and a pair ofInternet transport networks 160A and 160B (collectively, 160). Themanagement network 202 can include one or more network orchestratorappliances 104, one or more network management appliance 122, and one ormore network controller appliances 132. Although the management network202 is shown as a single network in this example, one of ordinary skillin the art will understand that each element of the management network202 can be distributed across any number of networks and/or beco-located with the sites 204. In this example, each element of themanagement network 202 can be reached through either transport network160A or 160B.

Each site can include one or more endpoints 206 connected to one or moresite network devices 208. The endpoints 206 can include general purposecomputing devices (e.g., servers, workstations, desktop computers,etc.), mobile computing devices (e.g., laptops, tablets, mobile phones,etc.), wearable devices (e.g., watches, glasses or other head-mounteddisplays (HMDs), ear devices, etc.), and so forth. The endpoints 206 canalso include Internet of Things (IoT) devices or equipment, such asagricultural equipment (e.g., livestock tracking and management systems,watering devices, unmanned aerial vehicles (UAVs), etc.); connected carsand other vehicles; smart home sensors and devices (e.g., alarm systems,security cameras, lighting, appliances, media players, HVAC equipment,utility meters, windows, automatic doors, door bells, locks, etc.);office equipment (e.g., desktop phones, copiers, fax machines, etc.);healthcare devices (e.g., pacemakers, biometric sensors, medicalequipment, etc.); industrial equipment (e.g., robots, factory machinery,construction equipment, industrial sensors, etc.); retail equipment(e.g., vending machines, point of sale (POS) devices, Radio FrequencyIdentification (RFID) tags, etc.); smart city devices (e.g., streetlamps, parking meters, waste management sensors, etc.); transportationand logistical equipment (e.g., turnstiles, rental car trackers,navigational devices, inventory monitors, etc.); and so forth.

The site network devices 208 can include physical or virtual switches,routers, and other network devices. Although the site 204A is shownincluding a pair of site network devices and the site 204B is shownincluding a single site network device in this example, the site networkdevices 208 can comprise any number of network devices in any networktopology, including multi-tier (e.g., core, distribution, and accesstiers), spine-and-leaf, mesh, tree, bus, hub and spoke, and so forth.For example, in some embodiments, one or more data center networks mayimplement the Cisco® Application Centric Infrastructure (ACI)architecture and/or one or more campus networks may implement the Cisco®Software Defined Access (SD-Access or SDA) architecture. The sitenetwork devices 208 can connect the endpoints 206 to one or more edgenetwork devices 142, and the edge network devices 142 can be used todirectly connect to the transport networks 160.

In some embodiments, “color” can be used to identify an individual WANtransport network, and different WAN transport networks may be assigneddifferent colors (e.g., mpls, private1, biz-internet, metro-ethernet,lte, etc.). In this example, the network topology 200 can utilize acolor called “biz-internet” for the Internet transport network 160A anda color called “public-internet” for the Internet transport network160B.

In some embodiments, each edge network device 142 can form a DatagramTransport Layer Security (DTLS) or TLS control connection to the networkcontroller appliance(s) 132 and connect to any network control appliance132 over each transport network 160. In some embodiments, the edgenetwork devices 142 can also securely connect to edge network devices inother sites via IPSec tunnels. In some embodiments, the BFD protocol maybe used within each of these tunnels to detect loss, latency, jitter,and path failures.

On the edge network devices 142, color can be used help to identify ordistinguish an individual WAN transport tunnel (e.g., no same color maybe used twice on a single edge network device). Colors by themselves canalso have significance. For example, the colors metro-ethernet, mpls,and private1, private2, private3, private4, private5, and private6 maybe considered private colors, which can be used for private networks orin places where there is no NAT addressing of the transport IP endpoints(e.g., because there may be no NAT between two endpoints of the samecolor). When the edge network devices 142 use a private color, they mayattempt to build IPSec tunnels to other edge network devices usingnative, private, underlay IP addresses. The public colors can include3g, biz, internet, blue, bronze, custom1, custom2, custom3, default,gold, green, lte, public-internet, red, and silver. The public colorsmay be used by the edge network devices 142 to build tunnels to post-NATIP addresses (if there is NAT involved). If the edge network devices 142use private colors and need NAT to communicate to other private colors,the carrier setting in the configuration can dictate whether the edgenetwork devices 142 use private or public IP addresses. Using thissetting, two private colors can establish a session when one or both areusing NAT.

FIG. 3 illustrates an example of a diagram 300 showing the operation ofOMP, which may be used in some embodiments to manage an overlay of anetwork (e.g., the network architecture 100). In this example, OMPmessages/updates can include new category of messages for Security andDNS threat is a sub-category of Security. The threat signature 105detected by the edge network device 142 a, 302A and 302B (collectively,302) may be transmitted back and forth between the network controllerappliance 132 and the edge network devices 142A and 142B, respectively,where control plane information, such as route prefixes, next-hoproutes, crypto keys, policy information, and so forth, can be exchangedover respective secure DTLS or TLS connections 304A and 304B. Thenetwork controller appliance 132 can operate similarly to a routereflector. For example, the network controller appliance 132 can receiveroutes from the edge network devices 142, process and apply any policiesto them, and advertise routes to other edge network devices 142 in theoverlay. If there is no policy defined, the edge network devices 142 maybehave in a manner similar to a full mesh topology, where each edgenetwork device 142 can connect directly to another edge network device142 at another site and receive full routing information from each site.

OMP can advertise three types of routes:

-   -   OMP routes, which can correspond to prefixes that are learned        from the local site, or service side, of the edge network device        142. The prefixes can be originated as static or connected        routes, or from within, for example, the OSPF or BGP protocols,        and redistributed into OMP so they can be carried across the        overlay. OMP routes can advertise attributes such as transport        location (TLOC) information (which can similar to a BGP next-hop        IP address) and other attributes such as origin, originator,        preference, site identifier, tag, and virtual private network        (VPN). An OMP route may be installed in the forwarding table if        the TLOC to which it points is active.    -   TLOC routes, which can correspond to logical tunnel termination        points on the edge network devices 142 that connect into the        transport networks 160. In some embodiments, a TLOC route can be        uniquely identified and represented by a three-tuple, including        an IP address, link color, and encapsulation (e.g., Generic        Routing Encapsulation (GRE), IPSec, etc.). In addition to system        IP address, color, and encapsulation, TLOC routes can also carry        attributes such as TLOC private and public IP addresses,        carrier, preference, site identifier, tag, and weight. In some        embodiments, a TLOC may be in an active state on a particular        edge network device 142 when an active BFD session is associated        with that TLOC.    -   Service routes, which can represent services (e.g., firewall,        distributed denial of service (DDoS) mitigator, load balancer,        intrusion prevent system (IPS), intrusion detection systems        (IDS), WAN optimizer, etc.) that may be connected to the local        sites of the edge network devices 142 and accessible to other        sites for use with service insertion. In addition, these routes        can also include VPNs; the VPN labels can be sent in an update        type to tell the network controller appliance 132 what VPNs are        serviced at a remote site.

In the example of FIG. 3, OMP is shown running over the DTLS/TLS tunnels304 established between the edge network devices 142 and the networkcontroller appliance 132. In addition, the diagram 300 shows an IPSectunnel 306A established between TLOC 308A and 308C over the WANtransport network 160A and an IPSec tunnel 306B established between TLOC308B and TLOC 308D over the WAN transport network 160B. Once the IPSectunnels 306A and 306B are established, BFD can be enabled across each ofthem. Updates sent via the service routes are covered in the IPSectunnels 306A and 306B. There are two types of updates when a localthreat is detected: (1) flow level (optional) —a flow- orapplication-based local security threat propagation to avoid doubleinspection at multiple points in a flow path, and meta data in the formof MPLS label can be sent across the IPSec tunnels 306A and 306B at flowlevel to a far end to prevent from going through a policy chain again;(2) controller level—DNS updates are sent in OMP to the networkcontroller appliance 132 so that other edge network devices 142 can beupdated with their local caches with the threat information.

FIG. 4A illustrates a diagram of a Software-Define Wide Area Network(SD-WAN) 400 showing how DNS security updates can be executed in a localWide Area Network (WAN) 401 in accordance with an embodiment. In oneembodiment, a first edge network device 142 a in the local WAN 401 maybe capable of subjecting traffic to a local domain name system (DNS)blacklist 103 a, advanced DNS security 414 via the DNS cloud securitysystem 101, and the locally-implemented advanced security policies 103b, whereas a second edge network device 142 b may only capable ofexecuting the local domain name system (DNS) blacklist 103 a, and athird edge network device 142 c may only capable of executing the localDNS blacklist/whitelist 103 a and advanced DNS security 414 via the DNScloud security system 101.

A user via an endpoint 206 a can send a request 403 to the first edgenetwork device 142 a for accessing a particular domain wherein trafficassociated with the domain can be subjected to the local DNSblacklist/whitelist 103 a of the first edge network device 142 a toquery whether or not that domain is malicious. If the domain is listedin the local DNS blacklist 103 a, then the traffic can be blocked, andif the domain is not listed, the edge network device 142 a can push 405the domain to the advanced DNS security 414 at the DNS cloud securitysystem 101. If again the particular domain is not considered malicious,then, since the first edge network device 142 a has locally-implementedadvanced security policies 103 b, the first edge network device 142 acan subject the traffic to deeper security functions through thelocally-implemented advanced security policies 103 b. If thelocally-implemented advanced security policies 103 b find that theparticular domain should be blocked, then the edge network device 142 acan send an update 407 to the network management appliances 122.

The network management appliances 122 can check 411 with the DNS cloudsecurity system 101 and determine whether or not the verdict of thelocally-implemented advanced security policies 103 b matches that of theadvanced DNS security 414 at the DNS cloud security system 101. If itdoes not, the DNS cloud security system 101 can determine whether or notto updates its security policies. The advanced DNS security 414 can alsoindicate that the domain is cleared and add the domain to a whitelist.The network management appliances 122 can then propagate a securitypolicy update 409, whether it is adding the domain to a blacklist or awhitelist, regarding the domain to the other edge network devices 142 b,12 bc that do not have the capabilities of running thelocally-implemented advanced security policies 103 b. The DNS cloudsecurity system 101 may also determine over time that the domain is nolonger malicious and can update 411 the network management appliances122 to propagate another security policy update 409 to the edge networkdevices 142. Furthermore, if the threat of the domain is severe enough,the DNS cloud security system 101 may send a security policy update 413regarding the domain with respect to other networks 415 that it serves.

FIG. 4B illustrates a diagram 450 showing a policy hierarchy of thesecurity policies that can be executed on the edge network devices 142in accordance with an embodiment. For the edge network devices 142 thatcan execute the locally-implemented advanced security policies 103 b,detected threats can be propagated to a particular device group, whichcan comprises all other edge network devices 142; only edge networkdevices 142 b, 142 c that do not have the locally-implemented advancedsecurity policies 103 b enabled; only edge network devices 142 b, 142 c,142 e that have the local DNS blacklist/whitelist 103 a enabled; or anyother customized subset of the edge network devices 142.

FIGS. 5A and 5B illustrate examples of a flow diagram of processes 500A,500B, respectively, for propagating security policies via SD-WAN inaccordance with an embodiment. One of ordinary skill will understoodthat, for any processes discussed herein, there can be additional,fewer, or alternative steps performed in similar or alternative orders,or in parallel, within the scope of the various embodiments unlessotherwise stated. For example, in step 502, one or more networkcontroller appliances 132 can receive an upstream message 107 a that caninclude a threat signature 105 associated with the threat detected bythe locally-implemented advanced security policies 103 b of theparticular edge network device 142 a. In order to improve response toemerging threats, in step 504, based on a deployed rules-based model,when the threat is detected across one or several edge network devices142, a temporary update is triggered to add the threat as a negative UTDresult collected by the network controller appliance 132 in a local DNSblacklist as the threats are received.

In step 506, the network controller appliance 132 can propagate and pushthe downstream messages 107 b that can include the threat signature 105of the learned threat to other edge network devices 142 b and/orbranches, in the same network or associated with a partner VPN, thathave not detected that threat. Every edge network device 142 can sendevents related to threats it has detected to the network controllerappliance 132. These events can be stored in an Elastic Search databaseand can be queried based on Device id, threat-id, IP addresses etc. TheElastic Search database can be used by the network controller appliance132 to determine which edge network devices 142 have not reported thisthreat. For example, threat signatures 105 may be transmitted to alldevices associated with a partner VPN. Thus, the one or more networkcontroller appliances 132 (e.g., one or more instances of a controllerlocated in the cloud) can enable edge-adjacent network-level monitoringand analytics.

In addition, the one or more network controller appliances 132 canoperate as a buffer between the edge network devices 142 and centralservers of the DNS cloud security system 101. In step 508, the networkcontroller appliance 132 can collect and process a stream of negativeUTD results and in step 509, send a pre-processed and condensed DNSblacklist to the DNS cloud security system 101 for use in enriching andupdating trustworthiness scores. The network controller appliance 132can maintain a list of Domains/Subdomains strings (keys) in awhitelist/blacklist and a changeset (new changes from the last sync withDNS cloud security system) with respect to DNS cloud security system101. Only the changes from the previous Sync time will be sent to DNScloud security system. This improves the response to new securitythreats and builds a scalable data pipeline. This can be leveragedacross different customers to improve a centralized list of the DNScloud security system 101 or leveraged in an analytics module used toidentify threat patterns in various networks 100.

To propagate security policies with respect to the particular edgenetwork device 142 a the detected a threat or clearance, first in step512, the edge network device 142 a can query the local DNSblacklist/whitelist 103 a on the edge network device 142 a regarding adomain. In step 514, the edge network device 142 a can push, in responseto a first answer that the domain is not on the local DNSblacklist/whitelist 103 a, a query regarding the domain to the advancedDNS security 414 at the DNS cloud security system 101. In step 516, theedge network device 142 a can query, in response to a second answer thatthe domain is cleared at the advanced DNS security 414, alocally-implemented advanced securities policy on the edge networkdevice. In step 518, the edge network device 142 a can detect a threatregarding the domain via the locally-implemented advanced securitiespolicy. In step 520, the particular edge network device 142 a can sendthe upstream message 107 a that can include the signature 105 associatedwith the threat or clearance detected by the edge network device 142 ato the network controller appliance 132 of the software-definedwide-area network 400. Optionally, the edge network devices 142 a candirectly notify the DNS cloud security system 101 to update its servers.

FIG. 6 illustrates an example of a network device 600 (e.g., switch,router, network appliance, etc.). The network device 600 can include amaster central processing unit (CPU) 602, interfaces 604, and a bus 606(e.g., a PCI bus). When acting under the control of appropriate softwareor firmware, the CPU 602 can be responsible for executing packetmanagement, error detection, and/or routing functions. The CPU 602preferably accomplishes all these functions under the control ofsoftware including an operating system and any appropriate applicationssoftware. The CPU 602 may include one or more processors 608 such as aprocessor from the Motorola family of microprocessors or the MIPS familyof microprocessors. In an alternative embodiment, the processor 608 canbe specially designed hardware for controlling the operations of thenetwork device 600. In an embodiment, a memory 610 (such as non-volatileRAM and/or ROM) can also form part of the CPU 602. However, there aremany different ways in which memory could be coupled to the system.

The interfaces 604 can be provided as interface cards (sometimesreferred to as line cards). The interfaces 604 can control the sendingand receiving of data packets over the network and sometimes supportother peripherals used with the network device 600. Among the interfacesthat may be provided are Ethernet interfaces, frame relay interfaces,cable interfaces, DSL interfaces, token ring interfaces, and the like.In addition, various very high-speed interfaces may be provided such asa fast token ring interface, wireless interface, Ethernet interface,Gigabit Ethernet interface, Asynchronous Transfer Mode (ATM) interface,High-Speed Serial Interface (HSSI), Packet Over SONET (POS) interface,Fiber Distributed Data Interface (FDDI), and the like. The interfaces604 may include ports appropriate for communication with the appropriatemedia. In some cases, the interfaces 604 may also include an independentprocessor and, in some instances, volatile RAM. The independentprocessors may control communication intensive tasks such as packetswitching, media control, and management. By providing separateprocessors for the communication intensive tasks, the interfaces 604 mayallow the CPU 602 to efficiently perform routing computations, networkdiagnostics, security functions, and so forth.

Although the system shown in FIG. 6 is an example of a network device ofan embodiment, it is by no means the only network device architecture onwhich the subject technology can be implemented. For example, anarchitecture having a single processor that can handle communications aswell as routing computations and other network functions, can also beused. Further, other types of interfaces and media may also be used withthe network device 600.

Regardless of the network device's configuration, it may employ one ormore memories or memory modules (including the memory 610) configured tostore program instructions for general-purpose network operations andmechanisms for roaming, route optimization, and routing functionsdescribed herein. The program instructions may control the operation ofan operating system and/or one or more applications. The memory ormemories may also be configured to store tables such as mobilitybinding, registration, and association tables.

FIG. 7A and FIG. 7B illustrate systems in accordance with variousembodiments. The more appropriate system will be apparent to those ofordinary skill in the art when practicing the various embodiments.Persons of ordinary skill in the art will also readily appreciate thatother systems are possible.

FIG. 7A illustrates an example of a bus computing system 700 wherein thecomponents of the system are in electrical communication with each otherusing a bus 705. The computing system 700 can include a processing unit(CPU or processor) 710 and a system bus 705 that may couple varioussystem components including the system memory 715, such as read onlymemory (ROM) 720 and random access memory (RAM) 725, to the processor710. The computing system 700 can include a cache 712 of high-speedmemory connected directly with, in close proximity to, or integrated aspart of the processor 710. The computing system 700 can copy data fromthe memory 715, ROM 720, RAM 725, and/or storage device 730 to the cache712 for quick access by the processor 710. In this way, the cache 712can provide a performance boost that avoids processor delays whilewaiting for data. These and other modules can control the processor 710to perform various actions. Other system memory 715 may be available foruse as well. The memory 715 can include multiple different types ofmemory with different performance characteristics. The processor 710 caninclude any general purpose processor and a hardware module or softwaremodule, such as module 1 732, module 2 734, and module 3 736 stored inthe storage device 730, configured to control the processor 710 as wellas a special-purpose processor where software instructions areincorporated into the actual processor design. The processor 710 mayessentially be a completely self-contained computing system, containingmultiple cores or processors, a bus, memory controller, cache, etc. Amulti-core processor may be symmetric or asymmetric.

To enable user interaction with the computing system 700, an inputdevice 745 can represent any number of input mechanisms, such as amicrophone for speech, a touch-protected screen for gesture or graphicalinput, keyboard, mouse, motion input, speech and so forth. An outputdevice 735 can also be one or more of a number of output mechanismsknown to those of skill in the art. In some instances, multimodalsystems can enable a user to provide multiple types of input tocommunicate with the computing system 700. The communications interface740 can govern and manage the user input and system output. There may beno restriction on operating on any particular hardware arrangement andtherefore the basic features here may easily be substituted for improvedhardware or firmware arrangements as they are developed.

The storage device 730 can be a non-volatile memory and can be a harddisk or other types of computer readable media which can store data thatare accessible by a computer, such as magnetic cassettes, flash memorycards, solid state memory devices, digital versatile disks, cartridges,random access memory, read only memory, and hybrids thereof.

As discussed above, the storage device 730 can include the softwaremodules 732, 734, 736 for controlling the processor 710. Other hardwareor software modules are contemplated. The storage device 730 can beconnected to the system bus 705. In some embodiments, a hardware modulethat performs a particular function can include a software componentstored in a computer-readable medium in connection with the necessaryhardware components, such as the processor 710, bus 705, output device735, and so forth, to carry out the function.

FIG. 7B illustrates an example architecture for a chipset computingsystem 750 that can be used in accordance with an embodiment. Thecomputing system 750 can include a processor 755, representative of anynumber of physically and/or logically distinct resources capable ofexecuting software, firmware, and hardware configured to performidentified computations. The processor 755 can communicate with achipset 760 that can control input to and output from the processor 755.In this example, the chipset 760 can output information to an outputdevice 765, such as a display, and can read and write information tostorage device 770, which can include magnetic media, solid state media,and other suitable storage media. The chipset 760 can also read datafrom and write data to RAM 775. A bridge 780 for interfacing with avariety of user interface components 785 can be provided for interfacingwith the chipset 760. The user interface components 785 can include akeyboard, a microphone, touch detection and processing circuitry, apointing device, such as a mouse, and so on. Inputs to the computingsystem 750 can come from any of a variety of sources, machine generatedand/or human generated.

The chipset 760 can also interface with one or more communicationinterfaces 790 that can have different physical interfaces. Thecommunication interfaces 790 can include interfaces for wired andwireless LANs, for broadband wireless networks, as well as personal areanetworks. Some applications of the methods for generating, displaying,and using the technology disclosed herein can include receiving ordereddatasets over the physical interface or be generated by the machineitself by the processor 755 analyzing data stored in the storage device770 or the RAM 775. Further, the computing system 750 can receive inputsfrom a user via the user interface components 785 and executeappropriate functions, such as browsing functions by interpreting theseinputs using the processor 755.

It will be appreciated that computing systems 700 and 750 can have morethan one processor 710 and 755, respectively, or be part of a group orcluster of computing devices networked together to provide greaterprocessing capability.

For clarity of explanation, in some instances the various embodimentsmay be presented as including individual functional blocks includingfunctional blocks comprising devices, device components, steps orroutines in a method embodied in software, or combinations of hardwareand software.

In some embodiments the computer-readable storage devices, mediums, andmemories can include a cable or wireless signal containing a bit streamand the like. However, when mentioned, non-transitory computer-readablestorage media expressly exclude media such as energy, carrier signals,electromagnetic waves, and signals per se.

Methods according to the above-described examples can be implementedusing computer-executable instructions that are stored or otherwiseavailable from computer readable media. Such instructions can comprise,for example, instructions and data which cause or otherwise configure ageneral purpose computer, special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.Portions of computer resources used can be accessible over a network.The computer executable instructions may be, for example, binaries,intermediate format instructions such as assembly language, firmware, orsource code. Examples of computer-readable media that may be used tostore instructions, information used, and/or information created duringmethods according to described examples include magnetic or opticaldisks, flash memory, USB devices provided with non-volatile memory,networked storage devices, and so on.

Devices implementing methods according to these disclosures can comprisehardware, firmware and/or software, and can take any of a variety ofform factors. Some examples of such form factors include general purposecomputing devices such as servers, rack mount devices, desktopcomputers, laptop computers, and so on, or general purpose mobilecomputing devices, such as tablet computers, smart phones, personaldigital assistants, wearable devices, and so on. Functionality describedherein also can be embodied in peripherals or add-in cards. Suchfunctionality can also be implemented on a circuit board among differentchips or different processes executing in a single device, by way offurther example.

The instructions, media for conveying such instructions, computingresources for executing them, and other structures for supporting suchcomputing resources are means for providing the functions described inthese disclosures.

Although a variety of examples and other information was used to explainaspects within the scope of the appended claims, no limitation of theclaims should be implied based on particular features or arrangements insuch examples, as one of ordinary skill would be able to use theseexamples to derive a wide variety of implementations. Further andalthough some subject matter may have been described in languagespecific to examples of structural features and/or method steps, it isto be understood that the subject matter defined in the appended claimsis not necessarily limited to these described features or acts. Forexample, such functionality can be distributed differently or performedin components other than those identified herein. Rather, the describedfeatures and steps are disclosed as examples of components of systemsand methods within the scope of the appended claims.

1. An edge network device, comprising: one or more processors; and oneor more non-transitory computer-readable medium that includecomputer-readable instructions stored thereon, which when executed bythe one or more processors, cause the one or more processors to: query alocal domain name system (DNS) blacklist/whitelist regarding a domain;push, in response to a first answer that the domain is not on the localDNS blacklist/whitelist, a query regarding the domain to an advanced DNSsecurity at an associated cloud security system; query, in response to asecond answer that the domain is cleared at the advanced DNS security, alocally-implemented advanced securities policy on the edge networkdevice; detect a threat or clearance regarding an associated domain viathe locally-implemented advanced securities policy; and send an upstreamupdate from the edge network device.
 2. The edge device of claim 1,wherein the upstream update includes a signature associated with thedetected threat or clearance to a network controller appliance.
 3. Theedge network device of claim 2, wherein the network controller applianceis of a software-defined wide-area network.
 4. An edge network device ofclaim 1, further comprising instructions which when executed by the oneor more processors, causes the one or more processors to: notify theassociated cloud security system to update its DNS blacklist/whitelistwith respect to the threat.
 5. The edge network device of claim 1,further comprising instructions which when executed by the one or moreprocessors, causes the one or more processors to: receive an update fromthe network controller appliance to void the detected threat and placethe domain on the local DNS whitelist.
 6. The edge network device ofclaim 5, wherein the advanced security policy is one of the followingpolicies: Unified Threat Defense (UTD), IPSec/SSL Intrusion Detectionand Prevention System (IPS/IDS), Advanced Malware Protection (AMP),Anti-virus Protection (AV), Data Loss Prevention (DLP), ApplicationFirewall (AppFW), or Encrypted Traffic Analytics (ETA).
 7. The edgenetwork device of claim 1, wherein the upstream update is an OMPmessage.
 8. A method comprising: querying a local domain name system(DNS) blacklist/whitelist regarding a domain; pushing, in response to afirst answer that the domain is not on the local DNSblacklist/whitelist, a query regarding the domain to an advanced DNSsecurity at an associated cloud security system; querying, in responseto a second answer that the domain is cleared at the advanced DNSsecurity, a locally-implemented advanced securities policy on the edgenetwork device; detecting a threat or clearance regarding an associateddomain via the locally-implemented advanced securities policy; andsending an upstream update from the edge network device.
 9. The methodof claim 8, wherein the upstream update includes a signature associatedwith the detected threat or clearance to a network controller appliance.10. The method of claim 9, wherein the network controller appliance isof a software-defined wide-area network.
 11. An method of claim 8,further comprising: notifying the associated cloud security system toupdate its DNS blacklist/whitelist with respect to the threat.
 12. Themethod of claim 8, further comprising: receiving an update from thenetwork controller appliance to void the detected threat and place thedomain on the local DNS whitelist.
 13. The method of claim 12, whereinthe advanced security policy is one of the following policies: UnifiedThreat Defense (UTD), IPSec/SSL Intrusion Detection and PreventionSystem (IPS/IDS), Advanced Malware Protection (AMP), Anti-virusProtection (AV), Data Loss Prevention (DLP), Application Firewall(AppFW), or Encrypted Traffic Analytics (ETA).
 14. The method of claim8, wherein the upstream update is an OMP message.
 15. One or morenon-transitory computer-readable mediums that include computer-readableinstructions stored thereon, which when executed by one or moreprocessors, cause the one or more processors to: query a local domainname system (DNS) blacklist/whitelist regarding a domain; push, inresponse to a first answer that the domain is not on the local DNSblacklist/whitelist, a query regarding the domain to an advanced DNSsecurity at an associated cloud security system; query, in response to asecond answer that the domain is cleared at the advanced DNS security, alocally-implemented advanced securities policy on the edge networkdevice; detect a threat or clearance regarding an associated domain viathe locally-implemented advanced securities policy; and send an upstreamupdate from the edge network device.
 16. The one or more non-transitorycomputer-readable mediums of claim 15, wherein the upstream updateincludes a signature associated with the detected threat or clearance toa network controller appliance of a software-defined wide-area network.17. The one or more non-transitory computer-readable mediums of claim15, further comprising instructions which when executed by the one ormore processors, causes the one or more processors to: notify theassociated cloud security system to update its DNS blacklist/whitelistwith respect to the threat.
 18. The one or more non-transitorycomputer-readable mediums of claim 15, further comprising instructionswhich when executed by the one or more processors, causes the one ormore processors to: receive an update from the network controllerappliance to void the detected threat and place the domain on the localDNS whitelist.
 19. The one or more non-transitory computer-readablemediums of claim 18, wherein the advanced security policy is one of thefollowing policies: Unified Threat Defense (UTD), IPSec/SSL IntrusionDetection and Prevention System (IPS/IDS), Advanced Malware Protection(AMP), Anti-virus Protection (AV), Data Loss Prevention (DLP),Application Firewall (AppFW), or Encrypted Traffic Analytics (ETA). 20.The one or more non-transitory computer-readable mediums of claim 15,wherein the upstream update is an OMP message.